Computer implemented system and method for sharing a common secret

ABSTRACT

For a first node, second common secrets are determined, each of which is common to the first node and a second node, is determined at the first node based on a first private key of the first node and a first public key of the second node, and is determined at the second node based on the first private key of the second node and the first public key of the first node. A third common secret common to the second node and a third node is determined for the second node. Shares of the first common secret known to the first node are encrypted at the first node. The encrypted shares are sent to the second nodes. Encrypted shares of the first common secret are received at the first node from the second node to enable each of the nodes to reach a threshold number of shares of the first common secret.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. Pat. Application No. 17/278,198, filed Mar. 19, 2021, entitled “COMPUTER IMPLEMENTED SYSTEM AND METHOD FOR SHARING A COMMON SECRET,” which is a 371 National Stage of International Patent Application No. PCT/IB2019/057632, filed Sep. 11, 2019, which claims priority to United Kingdom Patent Application No. 1815396.5, filed Sep. 21, 2018, the disclosures of which are incorporated herein by reference in their entirety.

BACKGROUND

This disclosure relates generally to a method of sharing a common secret among a plurality of nodes, and more particularly to a method of sharing a common secret among at least three nodes. The disclosure is particularly suited, but not limited to, use in cryptography to enable secure communication between the nodes, and may be suited for use with, but not limited to, digital wallets, blockchain (e.g., Bitcoin) technologies and personal device security.

SUMMARY

In this document we use the term ‘blockchain’ to include all forms of electronic, computer-based, distributed ledgers. These include consensus-based blockchain and transaction-chain technologies, permissioned and un-permissioned ledgers, shared ledgers and variations thereof. The most widely known application of blockchain technology is the Bitcoin ledger, although other blockchain implementations have been proposed and developed. While Bitcoin may be referred to herein for the purpose of convenience and illustration, it should be noted that the disclosure is not limited to use with the Bitcoin blockchain and alternative blockchain implementations and protocols fall within the scope of the present disclosure. The term “user” may refer herein to a human or a processor-based resource.

A blockchain is a peer-to-peer, electronic ledger which is implemented as a computer-based decentralised, distributed system made up of blocks which in turn are made up of transactions. Each transaction is a data structure that encodes the transfer of control of a digital asset between participants in the blockchain system, and includes at least one input and at least one output. Each block contains a hash of the previous block so that blocks become chained together to create a permanent, unalterable record of all transactions which have been written to the blockchain since its inception. Transactions contain small programs known as scripts embedded into their inputs and outputs, which specify how and by whom the outputs of the transactions can be accessed. On the Bitcoin platform, these scripts are written using a stack-based scripting language.

In order for a transaction to be written to the blockchain, it must be “validated”. Network nodes (miners) perform work to ensure that each transaction is valid, with invalid transactions rejected from the network. Software clients installed on the nodes perform this validation work on an unspent transaction (UTXO) by executing its locking and unlocking scripts. If execution of the locking and unlocking scripts evaluates to TRUE, the transaction is valid and the transaction is written to the blockchain. Thus, in order for a transaction to be written to the blockchain, it must be i) validated by the first node that receives the transaction - if the transaction is validated, the node relays it to the other nodes in the network; and ii) added to a new block built by a miner; and iii) mined, i.e. added to the public ledger of past transactions.

Although blockchain technology is most widely known for its use in cryptocurrency implementations, digital entrepreneurs have begun exploring the use of both the cryptographic security system Bitcoin is based on and the data that can be stored on the blockchain to implement new systems. It would be highly advantageous if the blockchain could be used for automated tasks and processes which are not limited to the realm of cryptocurrency. Such solutions would be able to harness the benefits of the blockchain (e.g., a permanent, tamper-proof record of events, distributed processing etc.) while being more versatile in their applications.

International patent application WO 2017/145016 discloses a method of sharing a common secret between two nodes to enable secure communication between the nodes. However, it is desirable to provide a method of sharing a common secret among more than two nodes.

Such an improved solution has now been devised.

Thus, in accordance with the present disclosure, there is provided a method as defined in the appended claims.

In accordance with the disclosure there may be provided a method of sharing a first common secret among a plurality of nodes, wherein each said node is associated with a respective asymmetric cryptography first key pair having a respective first private key and a respective first public key of a cryptography system common to said plurality of nodes, and wherein the first common secret is based on the first private key of each of said nodes, the method comprising:-

-   determining, for at least one first node, a plurality of second common secrets, wherein each said second common secret is common to said first node and a respective second node, is determined at said first node on the basis of the first private key of the first node and the first public key of the second node, and is determined at the second node on the basis of the first private key of the second node and the first public key of the first node, wherein a plurality of shares of the first common secret are each based on at least one respective second common secret such that said first common secret is accessible to a threshold number of said shares but is inaccessible to less than said threshold number of shares;
-   determining, for at least one second node, at least one respective third common secret, wherein the or each respective third common secret is common to said second node and a respective third node, is determined at said second node on the basis of the first private key of the second node and the first public key of the third node, and is determined at the third node on the basis of the first private key of the third node and the first public key of the second node, and wherein at least one share of the first common secret is based on at least one respective said third common secret;
-   encrypting, at at least one said first node, at least one share of said first common secret known to said first node, on the basis of a second private key of a respective asymmetric cryptography second key pair of a cryptography system, wherein said second key pair is based on a respective said second common secret known to said first node;
-   sending at least one said encrypted share from said first node to the respective said second node with which the second common secret on which said second key pair is based is common; and
-   receiving, at at least one said first node, from at least one said second node, at least one respective share of said first secret known to said second node and encrypted on the basis of a second private key of a respective asymmetric cryptography second key pair of said cryptography system, wherein said second key pair is based on the second common secret common to said first node and said second node, to enable each of said plurality of nodes to reach said threshold number of shares of said first common secret.

This provides the advantage of providing an efficient method of sharing a common secret between the plurality of nodes, which can then be used as the basis of secure communication between the nodes.

A plurality of said encrypted shares may be each based on a combination of a plurality of said common secrets known to the corresponding said node.

This provides the advantage of improving efficiency, while also enabling the individual common secrets to be obscured to third parties, thereby improving privacy, for example when the shared secrets are included in scripts of blockchain transactions.

A plurality of said encrypted shares may each be based on at least one respective XOR combination of a plurality of said common secrets known to the corresponding said node.

This provides the advantage of being simple to process, thereby enabling simple recovery of the first common secret by a recipient node.

A plurality of said encrypted shares may be based on multiplicative combination of a plurality of said common secrets known to the corresponding said node.

The multiplicative combination may be of the form (x1 · x2 · x3) mod n, wherein x1, x2, x3 are common secrets known to a node, and n is the order of a cryptography system.

A plurality of said shares may be shares of a first polynomial function, and the first secret may be determined by means of polynomial interpolation of at least a threshold number of said shares.

The method may further comprise:

-   receiving at least a threshold number of shares of said first common secret, wherein each said share corresponds to a respective value of the first polynomial function; and
-   determining said first polynomial function, by means of determining coefficients of the first polynomial function from a plurality of known values of said shares, to determine said first common secret.

The step of determining said first polynomial function may comprise executing an error correction algorithm.

The step of determining said first polynomial function may comprise executing a Berlekamp-Welch decoding algorithm.

The step of determining said first polynomial function may comprise:

defining an error locator polynomial function and a second polynomial function, wherein the second polynomial function is a product of said first polynomial function and said error locator polynomial function, determining coefficients of said second polynomial function and said error locator polynomial function from a plurality of known values of said partial signatures, and determining said first polynomial function from said second polynomial function and said error detector polynomial function, to determine the first common secret.
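The decoding step described above, as an added Python example that is not part of the original disclosure. It assumes a prime field modulus `PRIME`, treats the first common secret as the constant term of the first polynomial function, and uses hypothetical names (`berlekamp_welch`, `solve_mod`, `poly_divmod`) and constructed share values.

```python
PRIME = 2**127 - 1  # field modulus (assumption made for this example)


def poly_eval(coeffs, x):
    """Evaluate a polynomial given lowest-degree-first coefficients."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def solve_mod(rows, n_unknowns):
    """Gauss-Jordan elimination mod PRIME on augmented rows; free variables are set to 0."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(n_unknowns):
        pr = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if pr is None:
            continue  # no pivot in this column: the variable is free
        rows[r], rows[pr] = rows[pr], rows[r]
        inv = pow(rows[r][c], -1, PRIME)
        rows[r] = [v * inv % PRIME for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % PRIME for a, b in zip(rows[i], rows[r])]
        pivots.append((r, c))
        r += 1
    if any(row[-1] for row in rows[r:]):
        raise ValueError("inconsistent system: more bad shares than assumed")
    sol = [0] * n_unknowns
    for row_idx, c in pivots:
        sol[c] = rows[row_idx][-1]
    return sol


def poly_divmod(num, den):
    """Polynomial division mod PRIME; returns (quotient, remainder)."""
    num = num[:]
    inv_lead = pow(den[-1], -1, PRIME)
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        q = num[i + len(den) - 1] * inv_lead % PRIME
        quot[i] = q
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - q * d) % PRIME
    return quot, num[:len(den) - 1]


def berlekamp_welch(shares, k, max_errors):
    """Recover the degree < k polynomial P from shares (x, y), tolerating up to
    max_errors wrong y values. Returns (coefficients of P, x values of bad shares)."""
    e = max_errors
    if len(shares) < k + 2 * e:
        raise ValueError("need at least k + 2e shares")
    # Unknowns: k+e coefficients of Q = P*E, then e coefficients of monic E.
    # Each share gives one linear equation: Q(x) - y*(E(x) - x^e) = y*x^e.
    rows = []
    for x, y in shares:
        q_terms = [pow(x, j, PRIME) for j in range(k + e)]
        e_terms = [(-y * pow(x, j, PRIME)) % PRIME for j in range(e)]
        rows.append(q_terms + e_terms + [y * pow(x, e, PRIME) % PRIME])
    sol = solve_mod(rows, k + 2 * e)
    q_coeffs, e_coeffs = sol[:k + e], sol[k + e:] + [1]
    p_coeffs, rem = poly_divmod(q_coeffs, e_coeffs)
    if any(rem):
        raise ValueError("decoding failed: error locator does not divide Q")
    bad = [x for x, y in shares if poly_eval(p_coeffs, x) != y]
    return p_coeffs, bad


def demo():
    # Constructed degree-2 polynomial (threshold k = 3); secret = constant term.
    secret = 0xC0FFEE
    coeffs = [secret, 1234567, 7654321]
    shares = [(x, poly_eval(coeffs, x)) for x in range(1, 8)]
    shares[1] = (2, (shares[1][1] + 1) % PRIME)  # constructed faulty share at x = 2
    shares[5] = (6, 42)                          # constructed faulty share at x = 6
    recovered, bad = berlekamp_welch(shares, k=3, max_errors=2)
    return secret, recovered[0], bad


if __name__ == "__main__":
    print(demo())
```

The list of bad x values identifies which contributing nodes supplied inconsistent shares, which is useful for logging or excluding a faulty participant.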

At least one said cryptography system may have a homomorphic property.

This provides the advantage of enabling more flexible and efficient operation of the method.

At least one said cryptography system may be an elliptic curve cryptography system.

This provides the advantage of high security for a given key size.

The method may further comprise:

-   determining said first private key of at least one said first node based on at least a first node master private key (V_(1C)) and a deterministic key (DK) common with the first and second nodes; and
-   determining said first public key of at least one said second node (P_(2S)) based on a master public key (P_(1S)) of the second node and encryption of the deterministic key (DK) using the common cryptography system.

The deterministic key (DK) may be based on a message (M).

The method may further comprise:

-   generating a first signed message (SM1) based on the message (M) and the first private key of the first node (V_(2C)); and
-   sending, over the communications network, the first signed message (SM1) to the second node (S),
    -   wherein the first signed message (SM1) can be validated with a first public key of the first node (P_(2C)) to authenticate the first node (C).

The method may further comprise:

-   receiving, over the communications network, a second signed message (SM2) from the second node (S);
-   validating the second signed message (SM2) with the first public key of the second node (P_(2S)); and
-   authenticating the second node (S) based on the result of validating the second signed message (SM2),
    -   wherein the second signed message (SM2) was generated based on the message (M), or a second message (M2), and the first private key of the second node (V_(2S)).

The method may further comprise:

-   generating a message (M); and
-   sending, over a communications network, the message (M) to the second node (S).

The method may further comprise:

-   receiving the message (M), over the communications network, from the second node (S).

The method may further comprise:

-   receiving the message (M), over the communications network, from another node.

The method may comprise:

-   receiving the message (M) from a data store, and/or an input interface associated with the first node (C).

The cryptography system may be an elliptic curve cryptography (ECC) system and the first node master public key (P_(1C)) and second node master public key (P_(1S)) may be based on elliptic curve point multiplication of respective first node master private key (V_(1C)) and second node master private key (V_(1S)) and a generator (G).

The method may further comprise the steps of:

-   receiving, over the communications network, the second node master public key (P_(1S)); and
-   storing, at a data store associated with the first node (C), the second node master public key (P_(1S)).

The method may further comprise the steps of:

-   generating, at a first node (C), the first node master private key (V_(1C)) and the first node master public key (P_(1C));
-   sending, over the communications network, the first node master public key (P_(1C)) to the second node (S) and/or other node; and
-   storing, in a first data store associated with the first node (C), the first node master private key (V_(1C)).

The method may further comprise:

-   sending, over the communications network, to the second node, a notice indicative of using a common cryptography system for the method of determining at least one said common secret (CS), and
    -   wherein the step of generating the first node master private key (V_(1C)) and the first node master public key (P_(1C)) comprises:
        -   generating the first node master private key (V_(1C)) based on a random integer in an allowable range specified in the common cryptography system; and
        -   determining the first node master public key (P_(1C)) based on encryption of the first node master private key (V_(1C)).

The common cryptography system may be an elliptic curve cryptography (ECC) system with a common generator (G) and the first node master public key (P_(1C)) may be determined based on elliptic curve point multiplication of the first node master private key (V_(1C)) and the common generator (G) according to the following formula:

P_(1C) = V_(1C) × G.

The method may further comprise:

-   determining the deterministic key (DK) based on determining a hash of the message (M), and
    -   wherein the step of determining the first private key of the first node (V_(2C)) is based on a scalar addition of the first node master private key (V_(1C)) and the deterministic key (DK) according to the following formula:
    -   V_(2C) = V_(1C) + DK, and
    -   wherein the step of determining the first public key of the second node (P_(2S)) is based on the second node master public key (P_(1S)) with elliptic curve point addition to the elliptic curve point multiplication of the deterministic key (DK) and the common generator (G) according to the following formula:
    -   P_(2S) = P_(1S) + DK × G.

The deterministic key (DK) may be based on determining a hash of a previous deterministic key.

The disclosure may also provide a method of secure communication between a plurality of nodes, wherein the method comprises:

-   determining a first common secret by means of a method as defined above;
-   determining a symmetric-key based on the common secret;
-   encrypting a first communication message, with the symmetric-key, to an encrypted first communication message; and
-   sending, over a communications network, the encrypted first communication message from one of said plurality of nodes to the other nodes of said plurality of nodes.

The method may further comprise:

-   receiving, over a communications network, an encrypted second communication message from a node of said plurality of nodes; and
-   decrypting the encrypted second communication message, with the symmetric-key, to a second communication message.

The disclosure may further provide a method of performing an online transaction between a plurality of nodes, wherein the method comprises:

-   determining a first common secret by means of a method as defined above;
-   determining a symmetric-key based on the first common secret;
-   encrypting a first transaction message, with the symmetric-key, to an encrypted first transaction message;
-   sending, over a communications network, the encrypted first transaction message from a first node of said plurality of nodes to the other nodes of said plurality of nodes.

The disclosure also provides a system, comprising:

-   a processor; and
-   memory including executable instructions that, as a result of execution by the processor, cause the system to perform any embodiment of the computer-implemented method described herein.

The disclosure also provides a non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to at least perform an embodiment of the computer-implemented method described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects of the present disclosure will be apparent from, and elucidated with reference to, the embodiment described herein. An embodiment of the present disclosure will now be described, by way of example only, and with reference to the accompanying drawings, in which:

FIG. 1 is a schematic diagram of an example system to determine a common secret for a first node and second node;

FIG. 2 is a flow chart of computer-implemented methods for determining a common secret;

FIG. 3 is a flow chart of computer-implemented methods to register the first and second nodes;

FIG. 4 is another flow chart of computer-implemented methods for determining a common secret;

FIG. 5 is a flow chart of computer-implemented methods of secure communication between the first node and second node;

FIG. 6 is a flow chart of computer implemented methods to authenticate the first node and the second node;

FIG. 7 is a diagram showing a method embodying the present disclosure for sharing a common secret between three nodes;

FIG. 8 is a flow chart of the method of FIG. 7;

FIG. 9 shows a Berlekamp-Welch decoder for recovering a first common secret in a method embodying the present disclosure;

FIG. 10 is a flow chart of a method embodying the present disclosure for sharing a common secret between four nodes; and

FIG. 11 is a schematic diagram illustrating a computing environment in which various embodiments can be implemented.

DETAILED DESCRIPTION

Firstly, a method, device and system to determine a common secret (CS) at a first node (C) that is the same common secret at a second node (S) will now be described. This is used to determine a second common secret between a pair of nodes, which is then used to share a first common secret among a plurality of nodes comprising three or more nodes, as described in more detail below with reference to FIGS. 7 and 8. FIG. 1 illustrates a system 1 that includes a first node 3 that is in communication, over a communications network 5, with a second node 7. The first node 3 has an associated first processing device 23 and the second node 7 has an associated second processing device 27. The first and second nodes 3, 7 may include an electronic device, such as a computer, tablet computer, mobile communication device, computer server etc. In one example, the first node 3 may be a client device and the second node 7 a server.

The first node 3 is associated with a first asymmetric cryptography pair having a first node master private key (V_(1C)) and a first node master public key (P_(1C)). The second node 7 is associated with a second asymmetric cryptography pair having a second node master private key (V_(1S)) and a second node master public key (P_(1S)). The first and second asymmetric cryptography pairs for the respective first and second nodes 3, 7 may be generated during registration. Methods of registration 100, 200 performed by the first and second nodes 3, 7 will be described in further detail below with reference to FIG. 3. The public key for each node may be shared publicly, such as over the communications network 5.

To determine the common secret (CS) at both the first node 3 and second node 7, the nodes 3, 7 perform steps of respective methods 300, 400 without communicating private keys over the communications network 5.

The method 300 performed by the first node 3 includes determining 330 a first node second private key (V_(2C)) based on at least the first node master private key (V_(1C)) and a deterministic key (DK). The deterministic key may be based on a message (M) that is shared between the first and second nodes, which may include sharing the message over the communications network 5 as described in further detail below. The method 300 also includes determining 370 a second node second public key (P_(2S)) based on at least the second node master public key (P_(1S)) and the deterministic key (DK). The method 300 includes determining 380 the common secret (CS) based on the first node second private key (V_(2C)) and the second node second public key (P_(2S)).

Importantly, the same common secret (CS) can also be determined at the second node 7 by method 400. The method 400 includes determining 430 a first node second public key (P_(2C)) based on the first node master public key (P_(1C)) and the deterministic key (DK). The method 400 further includes determining 470 a second node second private key (V_(2S)) based on the second node master private key (V_(1S)) and the deterministic key (DK). The method 400 includes determining 480 the common secret (CS) based on the second node second private key (V_(2S)) and the first node second public key (P_(2C)).

The communications network 5 may include a local area network, a wide area network, cellular networks, radio communication network, the internet, etc. These networks, where data may be transmitted via communications medium such as electrical wire, fibre optic, or wirelessly, may be susceptible to eavesdropping, such as by an eavesdropper 11. The method 300, 400 may allow the first node 3 and second node 7 to both independently determine a common secret without transmitting the common secret over the communications network 5. Thus one advantage is that the common secret (CS) may be determined securely by each node without having to transmit a private key over a potentially unsecure communications network 5. In turn, the common secret may be used as a secret key (or as the basis of a secret key) for encrypted communication between the first and second nodes 3, 7 over the communications network 5.
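Methods 300 and 400 side by side, as an added Python example that is not part of the original disclosure. It uses the secp256k1 parameters, constructed master private keys and hypothetical function names, reduces DK modulo the curve order n, and assumes the common secret is the x-coordinate of the ECDH product V_2 × P_2, since the passage above only says the secret is "based on" those two keys.

```python
import hashlib

# secp256k1 domain parameters (the curve the disclosure names as one option).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + 7 (mod P)."""
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0


def ec_add(a, b):
    """Elliptic curve point addition; None represents the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def deterministic_key(message: bytes) -> int:
    """DK = SHA-256(M), reduced mod n so it can be used as a scalar."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def second_private(master_priv: int, dk: int) -> int:
    """V_2 = V_1 + DK (scalar addition mod n)."""
    return (master_priv + dk) % N


def second_public(master_pub, dk: int):
    """P_2 = P_1 + DK x G, computed from public values only."""
    if not on_curve(master_pub):
        raise ValueError("master public key is not on the curve")
    return ec_add(master_pub, ec_mul(dk, G))


def common_secret(own_second_priv: int, peer_second_pub) -> int:
    """Assumed combination: x-coordinate of V_2(own) x P_2(peer), as in ECDH."""
    pt = ec_mul(own_second_priv, peer_second_pub)
    if pt is None:
        raise ValueError("degenerate key: result is the point at infinity")
    return pt[0]


def demo(message: bytes = b"1700000000:constructed-nonce"):
    # Constructed master private keys for the two nodes; never reuse fixed values.
    v1c, v1s = 0x1F3A5C7E9B2D4F61, 0x2468ACE013579BDF
    p1c, p1s = ec_mul(v1c, G), ec_mul(v1s, G)   # P_1C = V_1C x G, P_1S = V_1S x G
    dk = deterministic_key(message)
    # Node C (method 300): own private key plus the peer's public key.
    cs_c = common_secret(second_private(v1c, dk), second_public(p1s, dk))
    # Node S (method 400): the mirror image, using only P_1C from node C.
    cs_s = common_secret(second_private(v1s, dk), second_public(p1c, dk))
    return cs_c, cs_s


if __name__ == "__main__":
    c, s = demo()
    print("common secrets match:", c == s)
```

Only the message and the master public keys cross the network; the on-curve check rejects a malformed public key before it is combined with a private scalar.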

The methods 300, 400 may include additional steps. The method 300 may include, at the first node 3, generating a signed message (SM1) based on the message (M) and the first node second private key (V_(2C)). The method 300 further includes sending 360 the first signed message (SM1), over the communications network, to the second node 7. In turn, the second node 7 may perform the steps of receiving 440 the first signed message (SM1). The method 400 also includes the step of validating 450 the first signed message (SM1) with the first node second public key (P_(2C)) and authenticating 460 the first node 3 based on the result of validating the first signed message (SM1). Advantageously, this allows the second node 7 to authenticate that the purported first node (where the first signed message was generated) is the first node 3. This is based on the assumption that only the first node 3 has access to the first node master private key (V_(1C)) and therefore only the first node 3 can determine the first node second private key (V_(2C)) for generating the first signed message (SM1). It is to be appreciated that similarly, a second signed message (SM2) can be generated at the second node 7 and sent to the first node 3 such that the first node 3 can authenticate the second node 7, such as in a peer-to-peer scenario.

Sharing the message (M) between the first and second nodes may be achieved in a variety of ways. In one example, the message may be generated at the first node 3 and then sent, over the communications network 5, to the second node 7. Alternatively, the message may be generated at the second node 7 and then sent, over the communications network 5, to the first node 3. In yet another example, the message may be generated at a third node 9 and the message sent to both the first and second nodes 3, 7. In yet another alternative, a user may enter the message through a user interface 15 to be received by the first and second nodes 3, 7. In yet another example, the message (M) may be retrieved from a data store 19 and sent to the first and second nodes 3, 7. In some examples, the message (M) may be public and therefore may be transmitted over an unsecure network 5.

In further examples, one or more messages (M) may be stored in a data store 13, 17, 19, where the message may be associated with a session, transaction, etc, between the first node 3 and the second node 7. Thus the messages (M) may be retrieved and used to recreate, at the respective first and second nodes 3, 7, the common secret (CS) associated with that session, or transaction. Advantageously, a record to allow recreation of the common secret (CS) may be kept without the record by itself having to be stored privately or transmitted securely. This may be advantageous if numerous transactions are performed at the first and second nodes 3, 7 and it would be impractical to store all the messages (M) at the nodes themselves.

Method of Registration 100, 200

An example of a method of registration 100, 200 will be described with reference to FIG. 3, where method 100 is performed by the first node 3 and method 200 is performed by the second node 7. This includes establishing the first and second asymmetric cryptography pairs for the respective first and second nodes 3, 7.

The asymmetric cryptography pairs include associated private and public keys, such as those used in public-key encryption. In this example, the asymmetric cryptography pairs are generated using Elliptic Curve Cryptography (ECC) and properties of elliptic curve operations.

Standards for ECC may include known standards such as those described by the Standards for Efficient Cryptography Group (www.sceg.org). Elliptic curve cryptography is also described in US 5,600,725, US 5,761,305, US 5,889,865, US 5,896,455, US 5,933,504, US 6,141,420, US 6,618,483, US 6,704,870, US 6,785,813, US 6,078,667, US 6,792,530.

In the method 100, 200, this includes the first and second nodes settling 110, 210 on a common ECC system and using a common generator (G). In one example, the common ECC system may be based on secp256k1 which is an ECC system used by Bitcoin. The common generator (G) may be selected, randomly generated, or assigned.

Turning now to the first node 3, the method 100 includes settling 110 on the common ECC system and common generator (G). This may include receiving the common ECC system and common generator from the second node 7, or a third node 9. Alternatively, a user interface 15 may be associated with the first node 3, whereby a user may selectively provide the common ECC system and/or common generator (G). In yet another alternative one or both of the common ECC system and/or common generator (G) may be randomly selected by the first node 3. The first node 3 may send, over the communications network 5, a notice indicative of using the common ECC system with a common generator (G) to the second node 7. In turn, the second node 7 may settle 210 by sending a notice indicative of an acknowledgment to using the common ECC system and common generator (G).

The method 100 also includes the first node 3 generating 120 a first asymmetric cryptography pair that includes the first node master private key (V_(1C)) and the first node master public key (P_(1C)). This includes generating the first node master private key (V_(1C)) based, at least in part, on a random integer in an allowable range specified in the common ECC system. This also includes determining the first node master public key (P_(1C)) based on elliptic curve point multiplication of the first node master private key (V_(1C)) and the common generator (G) according to the formula:

$P_{1C} = V_{1C} \times G \qquad \text{(Equation 1)}$

Thus the first asymmetric cryptography pair includes:

-   V_(1C): The first node master private key that is kept secret by the first node.
-   P_(1C): The first node master public key that is made publicly known.

The first node 3 may store the first node master private key (V_(1C)) and the first node master public key (P_(1C)) in a first data store 13 associated with the first node 3. For security, the first node master private key (V_(1C)) may be stored in a secure portion of the first data store 13 to ensure the key remains private.

The method 100 further includes sending 130 the first node master public key (P_(1C)), over the communications network 5, to the second node 7. The second node 7 may, on receiving 220 the first node master public key (P_(1C)), store 230 the first node master public key (P_(1C)) in a second data store 17 associated with the second node 7.

Similar to the first node 3, the method 200 of the second node 7 includes generating 240 a second asymmetric cryptography pair that includes the second node master private key (V_(1S)) and the second node master public key (P_(1S)). The second node master private key (V_(1S)) is also a random integer within the allowable range. In turn, the second node master public key (P_(1S)) is determined by the following formula:

$P_{1S} = V_{1S} \times G \qquad \text{(Equation 2)}$

Thus the second asymmetric cryptography pair includes:

-   V_(1S): The second node master private key that is kept secret by the second node.
-   P_(1S): The second node master public key that is made publicly known.

The second node 7 may store the second asymmetric cryptography pair in the second data store 17. The method 200 further includes sending 250 the second node master public key (P_(1S)) to the first node 3. In turn, the first node 3 may receive 140 and store 150 the second node master public key (P_(1S)).

It is to be appreciated that in some alternatives, the respective public master keys may be received and stored at a third data store 19 associated with the third node 9 (such as a trusted third party). This may include a third party that acts as a public directory, such as a certification authority. Thus in some examples, the first node master public key (P_(1C)) may be requested and received by the second node 7 only when determining the common secret (CS) is required (and vice versa).

The registration steps may only need to occur once as an initial setup. Afterwards, the master keys can be reused in a secure manner to generate common secret(s) that are dependent, inter alia, on the deterministic key (DK).

Session Initiation and Determining the Common Secret by the First Node 3

An example of determining a common secret (CS) will now be described with reference to FIG. 4. The common secret (CS) may be used for a particular session, time, transaction, or other purpose between the first node 3 and the second node 7 and it may not be desirable, or secure, to use the same common secret (CS). Thus the common secret (CS) may be changed between different sessions, time, transactions, etc.

Generating a Message (M) 310

In this example, the method 300 performed by the first node 3 includes generating 310 a message (M). The message (M) may be random, pseudo random, or user defined. In one example, the message (M) is based on Unix time and a nonce (an arbitrary value). For example, the message (M) may be provided as:

$\begin{matrix} {\text{Message}\mspace{6mu}\left( \text{M} \right) = \text{UnixTime} + \text{nonce}} & \text{­­­(Equation 3)} \end{matrix}$

In some examples, the message (M) is arbitrary. However it is to be appreciated that the message (M) may have selective values (such as Unix Time, etc) that may be useful in some applications.

The method 300 includes sending 315 the message (M), over the communications network 5, to the second node 7. The message (M) may be sent over an unsecure network as the message (M) does not include information on the private keys.

Determining a Deterministic Key 320

The method 300 further includes the step of determining 320 a deterministic key (DK) based on the message (M). In this example, this includes determining a cryptographic hash of the message. An example of a cryptographic hash algorithm includes SHA-256 to create a 256-bit deterministic key (DK). That is:

$\begin{matrix} {\text{DK}\mspace{6mu}\text{=}\mspace{6mu}\text{SHA-256}\left( \text{M} \right)} & \text{­­­(Equation 4)} \end{matrix}$

It is to be appreciated that other hash algorithms may be used. This may include other hash algorithms in the Secure Hash Algorithm (SHA) family. Some particular examples include instances in the SHA-3 subset, including SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256. Other hash algorithms may include those in the RACE Integrity Primitives Evaluation Message Digest (RIPEMD) family. A particular example may include RIPEMD-160. Other hash functions may include families based on Zémor-Tillich hash function and knapsack-based hash functions.

Determining a First Node Second Private Key 330

The method 300 then includes the step of determining 330 the first node second private key (V_(2C)) based on the first node master private key (V_(1C)) and the deterministic key (DK). This can be based on a scalar addition of the first node master private key (V_(1C)) and the deterministic key (DK) according to the following formula:

$\begin{matrix} {\text{V}_{2\text{C}} = \text{V}_{1\text{C}} + \text{DK}} & \text{­­­(Equation 5)} \end{matrix}$

Thus the first node second private key (V_(2C)) is not a random value but is instead deterministically derived from the first node master private key. The corresponding public key in the cryptographic pair, namely the first node second public key (P_(2C)), has the following relationship:

$\begin{matrix} {\text{P}_{2\text{C}} = \text{V}_{\text{2C}} \times \text{G}} & \text{­­­(Equation 6)} \end{matrix}$

Substitution of V_(2C) from Equation 5 into Equation 6 provides:

$\begin{matrix} {\text{P}_{2\text{C}} = \left( {\text{V}_{1\text{C}} + \text{DK}} \right) \times \text{G}} & \text{­­­(Equation 7)} \end{matrix}$

Here the ‘+’ operator refers to scalar addition and the ‘×’ operator refers to elliptic curve point multiplication. Noting that elliptic curve cryptography algebra is distributive, Equation 7 may be expressed as:

$\begin{matrix} {\text{P}_{2\text{C}} = \text{V}_{\text{1C}} \times \text{G}\mspace{6mu}\text{+}\mspace{6mu}\text{DK}\mspace{6mu} \times \mspace{6mu}\text{G}} & \text{­­­(Equation 8)} \end{matrix}$

Finally, Equation 1 may be substituted into Equation 7 to provide:

$\begin{matrix} {\text{P}_{2\text{C}} = \text{P}_{\text{1C}}\mspace{6mu} + \text{DK}\mspace{6mu} \times \mspace{6mu}\text{G}} & \text{­­­(Equation 9.1)} \end{matrix}$

$\begin{matrix} {\text{P}_{2\text{C}} = \text{P}_{\text{1C}}\mspace{6mu} + \text{SHA-256}\left( \text{M} \right)\mspace{6mu} \times \mspace{6mu}\text{G}} & \text{­­­(Equation 9.2)} \end{matrix}$

In Equations 8 to 9.2, the ‘+’ operator refers to elliptic curve point addition. Thus the corresponding first node second public key (P_(2C)) is derivable given knowledge of the first node master public key (P_(1C)) and the message (M). The second node 7 may have such knowledge to independently determine the first node second public key (P_(2C)) as will be discussed in further detail below with respect to the method 400.

Generate a First Signed Message (SM1) Based on the Message and the First Node Second Private Key 350

The method 300 further includes generating 350 a first signed message (SM1) based on the message (M) and the determined first node second private key (V_(2C)). Generating a signed message includes applying a digital signature algorithm to digitally sign the message (M). In one example, this includes applying the first node second private key (V_(2C)) to the message in an Elliptic Curve Digital Signature Algorithm (ECDSA) to obtain the first signed message (SM1).

Examples of ECDSA include those based on ECC systems with secp256k1, secp256r1, secp384r1, secp521r1.

The first signed message (SM1) can be verified with the corresponding first node second public key (P_(2C)) at the second node 7. This verification of the first signed message (SM1) may be used by the second node 7 to authenticate the first node 3, which will be discussed in the method 400 below.

Determine a Second Node Second Public Key 370′

The first node 3 may then determine 370 a second node second public key (P_(2S)). As discussed above, the second node second public key (P_(2S)) may be based at least on the second node master public key (P_(1S)) and the deterministic key (DK). In this example, since the public key is determined 370′ as the private key with elliptic curve point multiplication with the generator (G), the second node second public key (P_(2S)) can be expressed, in a fashion similar to Equation 6, as:

$\begin{matrix} {\text{P}_{2\text{S}} = \text{V}_{\text{2S}} \times \text{G}} & \text{­­­(Equation 10.1)} \end{matrix}$

$\begin{matrix} {\text{P}_{2\text{S}} = \text{P}_{\text{1S}}\mspace{6mu} + \text{DK}\mspace{6mu} \times \mspace{6mu}\text{G}} & \text{­­­(Equation 10.2)} \end{matrix}$

The mathematical proof for Equation 10.2 is the same as described above for deriving Equation 9.1 for the first node second public key (P_(2C)). It is to be appreciated that the first node 3 can determine 370 the second node second public key independently of the second node 7.

Determine the Common Secret 380 at the First Node 3

The first node 3 may then determine 380 the common secret (CS) based on the determined first node second private key (V_(2C)) and the determined second node second public key (P_(2S)). The common secret (CS) may be determined by the first node 3 by the following formula:

$\begin{matrix} {\text{S} = \text{V}_{2\text{C}} \times \text{P}_{2\text{S}}} & \text{­­­(Equation 11)} \end{matrix}$

Method 400 Performed at the Second Node 7

The corresponding method 400 performed at the second node 7 will now be described. It is to be appreciated that some of these steps are similar to those discussed above that were performed by the first node 3.

The method 400 includes receiving 410 the message (M), over the communications network 5, from the first node 3. This may include the message (M) sent by the first node 3 at step 315. The second node 7 then determines 420 a deterministic key (DK) based on the message (M). The step of determining 420 the deterministic key (DK) by the second node 7 is similar to the step 320 performed by the first node described above. In this example, the second node 7 performs this determining step 420 independent of the first node 3.

The next step includes determining 430 a first node second public key (P_(2C)) based on the first node master public key (P_(1C)) and the deterministic key (DK). In this example, since the public key is determined 430′ as the private key with elliptic curve point multiplication with the generator (G), the first node second public key (P_(2C)) can be expressed, in a fashion similar to Equation 9, as:

$\begin{matrix} {\text{P}_{2\text{C}} = \text{V}_{\text{2C}} \times \text{G}} & \text{­­­(Equation 12.1)} \end{matrix}$

$\begin{matrix} {\text{P}_{2\text{C}} = \text{P}_{\text{1C}}\mspace{6mu} + \text{DK}\mspace{6mu} \times \mspace{6mu}\text{G}} & \text{­­­(Equation 12.2)} \end{matrix}$

The mathematical proof for Equations 12.1 and 12.2 is the same as those discussed above for Equations 10.1 and 10.2.

The Second Node 7 Authenticating the First Node 3

The method 400 may include steps performed by the second node 7 to authenticate that the alleged first node 3 is the first node 3. As discussed previously, this includes receiving 440 the first signed message (SM1) from the first node 3. The second node 7 may then validate 450 the signature on the first signed message (SM1) with the first node second public key (P_(2C)) that was determined at step 430.

Verifying the digital signature may be done in accordance with an Elliptic Curve Digital Signature Algorithm (ECDSA) as discussed above. Importantly, the first signed message (SM1) that was signed with the first node second private key (V_(2C)) should only be correctly verified with the corresponding first node second public key (P_(2C)), since V_(2C) and P_(2C) form a cryptographic pair. Since these keys are deterministic on the first node master private key (V_(1C)) and the first node master public key (P_(1C)) that were generated at registration of the first node 3, verifying the first signed message (SM1) can be used as a basis of authenticating that an alleged first node sending the first signed message (SM1) is the same first node 3 during registration. Thus the second node 7 may further perform the step of authenticating (460) the first node 3 based on the result of validating (450) the first signed message.

The above authentication may be suitable for scenarios where one of the two nodes is a trusted node and only one of the nodes needs to be authenticated. For example, the first node 3 may be a client and the second node 7 may be a server trusted by the client. Thus the server (second node 7) may need to authenticate the credentials of the client (first node 3) in order to allow the client access to the server system. It may not be necessary for the server to authenticate the credentials of the server to the client. However, in some scenarios, it may be desirable for both nodes to be authenticated to each other, such as in a peer-to-peer scenario that will be described in another example below.

The Second Node 7 Determining the Common Secret

The method 400 may further include the second node 7 determining 470 a second node second private key (V_(2S)) based on the second node master private key (V_(1S)) and the deterministic key (DK). Similar to step 330 performed by the first node 3, the second node second private key (V_(2S)) can be based on a scalar addition of the second node master private key (V_(1S)) and the deterministic key (DK) according to the following formulas:

$\begin{matrix} {\text{V}_{2\text{S}} = \text{V}_{1\text{S}} + \text{DK}} & \text{­­­(Equation 13.1)} \end{matrix}$

$\begin{matrix} {\text{V}_{2\text{S}} = \text{V}_{1\text{S}} + \text{SHA-256}\left( \text{M} \right)} & \text{­­­(Equation 13.2)} \end{matrix}$

The second node 7 may then, independent of the first node 3, determine 480 the common secret (CS) based on the second node second private key (V_(2S)) and the first node second public key (P_(2C)) based on the following formula:

$\begin{matrix} {\text{S} = \text{V}_{2\text{S}} \times \text{P}_{2\text{C}}} & \text{­­­(Equation 14)} \end{matrix}$

Proof of the Common Secret (CS) Determined by the First Node 3 and Second Node 7

The common secret (CS) determined by the first node 3 is the same as the common secret (CS) determined at the second node 7. Mathematical proof that Equation 11 and Equation 14 provide the same common secret (CS) will now be described.

Turning to the common secret (CS) determined by the first node 3, Equation 10.1 can be substituted into Equation 11 as follows:

$\begin{matrix} {\text{S} = \text{V}_{2\text{C}} \times \text{P}_{2\text{S}}} & \text{­­­(Equation 11)} \end{matrix}$

S = V_(2C) × (V_(2S) × G)

$\begin{matrix} {\text{S} = \left( {\text{V}_{2\text{C}} \times \text{V}_{2\text{S}}} \right) \times \text{G}} & \text{­­­(Equation 15)} \end{matrix}$

Turning to the common secret (CS) determined by the second node 7, Equation 12.1 can be substituted into Equation 14 as follows:

$\begin{matrix} {\text{S} = \text{V}_{2\text{S}} \times \text{P}_{2\text{C}}} & \text{­­­(Equation 14)} \end{matrix}$

S = V_(2S) × (V_(2C) × G)

$\begin{matrix} {\text{S} = \left( {\text{V}_{2\text{C}} \times \text{V}_{2\text{S}}} \right) \times \text{G}} & \text{­­­(Equation 16)} \end{matrix}$

Since ECC algebra is commutative, Equation 15 and Equation 16 are equivalent, since:

$\begin{matrix} {\text{S} = \left( {\text{V}_{2\text{C}} \times \text{V}_{2\text{S}}} \right) \times \text{G}\mspace{6mu}\text{=}\mspace{6mu}\left( {\text{V}_{2\text{S}} \times \text{V}_{2\text{C}}} \right) \times \text{G}} & \text{­­­(Equation 17)} \end{matrix}$

The Common Secret (CS) and Secret Key

The common secret (CS) may be used as a secret key, or as the basis of a secret key in a symmetric-key algorithm for secure communication between the first node 3 and second node 7.

The common secret (CS) may be in the form of an elliptic curve point (x_(S), y_(S)). This may be converted into a standard key format using standard publicly known operations agreed by the nodes 3, 7. For example, the x_(S) value may be a 256-bit integer that could be used as a key for AES₂₅₆ encryption. It could also be converted into a 160-bit integer using RIPEMD-160 for any applications requiring this length key.

The common secret (CS) may be determined as required. Importantly, the first node 3 does not need to store the common secret (CS) as this can be re-determined based on the message (M). In some examples, the message(s) (M) used may be stored in data store 13, 17, 19 (or other data store) without the same level of security as required for the master private keys. In some examples, the message (M) may be publicly available.

However depending on some applications, the common secret (CS) could be stored in the first data store (X) associated with the first node provided the common secret (CS) is kept as secure as the first node master private key (V_(1C)).

Furthermore, the disclosed system may allow determination of multiple common secrets that may correspond to multiple secure secret keys based on a single master key cryptography pair. An advantage of this may be illustrated by the following example.

In situations where there are multiple sessions, each associated with multiple respective common secrets (CS), it may be desirable to have a record associated with those multiple sessions so that the respective common secrets (CS) can be re-determined for the future. In known systems, this may have required multiple secret keys to be stored in a secure data store, which may be expensive or inconvenient to maintain. In contrast, the present system has the master private keys kept secure at the respective first and second nodes, whilst the other deterministic keys, or message (M), may be stored either securely or insecurely. Despite the deterministic keys (DK), or message (M), being stored insecurely, the multiple common secrets (CS) are kept secure since the master private keys required to determine the common secrets are still secure.

The method may also be used for generating “session keys” for temporary communication links, such as for securely transmitting login passwords.

Peer-to-Peer Authentication

In a peer-to-peer scenario, the first node 3 and the second node 7 may need to authenticate the credentials of one another. An example of this will now be described with reference to FIG. 6. In this example, the method 300, 400 steps to authenticate the first node 3 based on the validated first signed message (SM1) are similar to those discussed above.

However, the method 400 performed by the second node 7 further includes generating 462 a second signed message (SM2) based on the message (M) and the second node private key (V_(2S)). In some alternatives, the second signed message (SM2) may be based on a second message (M2) and the second node private key (V_(2S)), where the second message (M2) is shared with the first node 3. The method 400 further includes sending 464 the second signed message (SM2), over the communications network 5, to the first node 3.

At the first node 3, the method 300 includes receiving the second signed message (SM2) from the second node 7. The method includes validating 374 the signature on the second signed message (SM2) with the second node second public key (P_(2S)) that was determined at step 370. The method 300 may then include authenticating 376 the second node 7 based on the result of validating the second signed message (SM2). This results in the first and second nodes 3, 7 authenticating one another.

Hierarchy of Deterministic Keys

In one example, a series of successive deterministic keys may be determined, where each successive key may be determined based on the preceding deterministic key.

For example, instead of repeating steps 310 to 370 and 410 to 470 to generate successive single-purpose keys, by prior agreement between the nodes, the previously used deterministic key (DK) can be rehashed repeatedly by both parties to establish a hierarchy of deterministic keys. In effect, the deterministic key, based on the hash of a message (M), can be a next generation message (M′) for the next generation of deterministic key (DK′). Doing this allows successive generations of shared secrets to be calculated without the need for further protocol-establishment transmissions, in particular transmission of multiple messages for each generation of common secrets. The next generation common secret (CS′) can be computed as follows.

Firstly, both the first node 3 and the second node 7 independently determine the next generation of the deterministic key (DK′). This is similar to steps 320 and 420 but adapted with the following formulas:

$\begin{matrix} {\text{M}^{\prime} = \text{SHA-256}\left( \text{M} \right)} & \text{­­­(Equation 18)} \end{matrix}$

$\begin{matrix} {\text{D}\text{K}^{\prime} = \text{SHA-256}\left( \text{M}^{\prime} \right)} & \text{­­­(Equation 19.1)} \end{matrix}$

$\begin{matrix} {\text{D}\text{K}^{\prime}\mspace{6mu}\text{=}\mspace{6mu}\text{SHA-256}\left( {\text{SHA-256}\left( \text{M} \right)} \right)} & \text{­­­(Equation 19.2)} \end{matrix}$

The first node 3 may then determine the next generation of the second node second public key (P_(2S)′) and the first node second private key (V_(2C)′) similar to steps 370 and 330 described above, but adapted with the following formulas:

$\begin{matrix} {\text{P}_{2\text{S}}{}^{\prime} = \text{P}_{\text{1S}}\mspace{6mu} + \text{D}\text{K}^{\prime}\mspace{6mu} \times \mspace{6mu}\text{G}} & \text{­­­(Equation 20.1)} \end{matrix}$

$\begin{matrix} {\text{V}_{2\text{C}}{}^{\prime} = \text{V}_{1\text{C}} + \text{D}\text{K}^{\prime}} & \text{­­­(Equation 20.2)} \end{matrix}$

The second node 7 may then determine the next generation of the first node second public key (P_(2C)′) and the second node second private key (V_(2S)′) similar to steps 430 and 470 described above, but adapted with the following formulas:

$\begin{matrix} {\text{P}_{2\text{C}}{}^{\prime} = \text{P}_{\text{1C}}\mspace{6mu} + \text{D}\text{K}^{\prime}\mspace{6mu} \times \mspace{6mu}\text{G}} & \text{­­­(Equation 21.1)} \end{matrix}$

$\begin{matrix} {\text{V}_{2\text{S}}{}^{\prime} = \text{V}_{1\text{S}} + \text{D}\text{K}^{\prime}} & \text{­­­(Equation 21.2)} \end{matrix}$

The first node 3 and the second node 7 may then each determine the next generation common secret (CS′).

In particular, the first node 3 determines the next generation common secret (CS′) with the formula:

$\begin{matrix} {\text{C}\text{S}^{\prime}\mspace{6mu}\text{=}\mspace{6mu}\text{V}_{2\text{C}}{}^{\prime} \times \text{P}_{2\text{S}}{}^{\prime}} & \text{­­­(Equation 22)} \end{matrix}$

The second node 7 determines the next generation common secret (CS′) with the formula:

$\begin{matrix} {\text{C}\text{S}^{\prime}\mspace{6mu}\text{=}\mspace{6mu}\text{V}_{2\text{S}}{}^{\prime} \times \text{P}_{2\text{C}}{}^{\prime}} & \text{(Equation 23)} \end{matrix}$

Further generations (CS″, CS‴, etc.) can be calculated in the same way to create a chain hierarchy. This technique requires that both the first node 3 and the second node 7 keep track of the original Message (M) or the originally calculated deterministic key (DK), and to which node it relates. As this is publicly known information there are no security issues regarding the retention of this information. Accordingly, this information might be kept on ‘hash tables’ (linking hash values to public keys) and distributed freely across the network 5 (for example using Torrent). Furthermore, if any individual common secret (CS) in the hierarchy is ever compromised, this does not affect the security of any other common secrets in the hierarchy provided the private keys V_(1C), V_(1S) remain secure.
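The derivation in Equations 4 to 17 and the rehashed hierarchy in Equations 18 to 23 can be exercised end to end. The following Python code is an added example, not code from the disclosure: it assumes secp256k1, reduces V_1 + DK modulo the curve order n, treats M as a Unix time concatenated with a nonce, feeds the raw 32-byte digest back in as M′, and uses constructed master keys and hypothetical function names.

```python
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), base point G of prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Elliptic curve point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add computation of k x point (not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def deterministic_key(message, generation=0):
    """Equation 4 for generation 0; Equations 18 and 19 rehash once per generation."""
    digest = hashlib.sha256(message).digest()
    for _ in range(generation):
        digest = hashlib.sha256(digest).digest()
    return int.from_bytes(digest, "big") % N


def second_private_key(master_priv, dk):
    """Equations 5 and 13.1: V2 = V1 + DK, reduced mod N (assumption of this example)."""
    v2 = (master_priv + dk) % N
    if v2 == 0:
        raise ValueError("derived private key is zero; use a different message")
    return v2


def second_public_key(master_pub, dk):
    """Equations 9.1 and 10.2: P2 = P1 + DK x G, computed from public values only."""
    p2 = point_add(master_pub, scalar_mult(dk, G))
    if p2 is None:
        raise ValueError("derived public key is the point at infinity")
    return p2


def common_secret(my_master_priv, peer_master_pub, message, generation=0):
    """Equations 11 and 14 (Equations 22 and 23 when generation > 0)."""
    dk = deterministic_key(message, generation)
    return scalar_mult(second_private_key(my_master_priv, dk),
                       second_public_key(peer_master_pub, dk))


def secret_to_key(point):
    """Take the x coordinate of the common secret as a 256-bit key."""
    return point[0].to_bytes(32, "big")


if __name__ == "__main__":
    # Constructed master keys and message, for illustration only.
    v1c = int.from_bytes(hashlib.sha256(b"constructed first node key").digest(), "big") % N
    v1s = int.from_bytes(hashlib.sha256(b"constructed second node key").digest(), "big") % N
    p1c, p1s = scalar_mult(v1c, G), scalar_mult(v1s, G)  # Equations 1 and 2
    m = b"1700000000" + bytes.fromhex("00112233445566778899aabbccddeeff")
    for gen in range(3):
        at_first = common_secret(v1c, p1s, m, gen)    # first node: own V, peer's P
        at_second = common_secret(v1s, p1c, m, gen)   # second node: own V, peer's P
        print(gen, at_first == at_second, secret_to_key(at_first).hex()[:16])
```

Because V_(2C) − DK = V_(1C) (mod n), a derived private key has to be protected as carefully as the master key whenever the message (M) is public. The pure-Python point arithmetic is not constant-time, so it suits checking the algebra rather than handling production keys.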

Tree Structure of Keys

As well as a chain (linear) hierarchy as described above, a hierarchy in the form of a tree structure can be created.

With a tree structure, a variety of keys for different purposes such as authentication keys, encryption keys, signing keys, payment keys, etc. may be determined whereby these keys are all linked to a single securely maintained master key.

Description of Embodiments

FIG. 7 shows a method embodying the present disclosure for sharing a first common secret among three nodes A, B and C, and a flowchart of the method is shown in FIG. 8. Each node A, B, C is associated with its own private key/public key pair (S, P), the private, public key pair of node A, for example, being (S_(A),P_(A)). Each private or public key may be derived from a respective master private key or master public key for that node and a deterministic key, in a manner similar to that described above with reference to FIGS. 1 to 6. The private-public key pairs are key pairs of an elliptic curve cryptography system where, for example, P_(A) = S_(A) x G, where G is the elliptic curve generator point.

Secure communication between each pair of nodes A,B, A,C and B,C is established by determining a second common secret between each pair of nodes using a method as described above with reference to FIGS. 1 to 6, in step 80 of FIG. 8. In the arrangement shown in FIG. 7, the following relations apply:

S_(A)P_(B) = S_(A)S_(B)G = S_(B)S_(A)G = S_(B)P_(A) = x₁

Similarly, S_(A)P_(C) = S_(C)P_(A) = x₂

And S_(B)P_(C) = S_(C)P_(B) = x₃

The first common secret to be shared among the nodes A, B, C is

x₁ ⊕ x₂ ⊕ x₃, where ⊕ denotes XOR operation.

Once a secure communication channel has been established between each pair of nodes, each node encrypts shares of the first secret, in the form of combinations of the second secrets known to that node, using private-public key pairs based on those second secrets in step 82 of FIG. 8 . This is done by each node encoding XOR combinations of pairs of the second common secrets x known to that node. Accordingly for node A, common secrets x₁ and x₂ are known to node A, so node A computes the combination x₁ ⊕ x₂, and then separately encodes this combination on the basis of the private key of the private-public key pair of its respective communication channel x₁ or x₂ with each other node. Node A then sends the combination x₁ ⊕ x₂, encrypted on the basis of x₁, to node B, and encrypted on the basis of x₂, to node C in step 84 of FIG. 8 . These encrypted shares are represented by E_(x1) [x₁ ⊕ x₂] and E_(x2) [x₁ ⊕ x₂] respectively.

Similarly, common secrets x₁ and x₃ are known to node B, where x₃ represents a third common secret, common to second node B and third node C. Node B computes the combination x₁ ⊕ x₃, and then separately encodes this combination on the basis of second common secrets x₁ and x₃ with each other node. Node B then sends E_(x1) [x₁ ⊕ x₃], the combination x₁ ⊕ x₃, encrypted on the basis of x₁, to node A, and E_(x3) [x₁ ⊕ x₃] encrypted on the basis of x₃, to node C in step 84 of FIG. 8 . Node C in turn computes the combination x₂ ⊕ x₃, and then separately encodes this combination on the basis of second common secrets x₂ and x₃ with each other node. Node C then sends E_(x2) [x₂ ⊕ x₃], the combination x₂ ⊕ x₃, encrypted on the basis of x₂, to node A, and E_(x3) [x₂ ⊕ x₃] encrypted on the basis of x₃, to node B in step 84 of FIG. 8 .

Each of the nodes A, B, C receives the encrypted shares from the other nodes and decrypts the encrypted shares in step 86 of FIG. 8. As a result, each of the nodes can obtain the threshold number of shares necessary to reconstruct the first shared secret x₁ ⊕ x₂ ⊕ x₃ as follows.

Node A receives the share x₂ ⊕ x₃ from node B and x₁ ⊕ x₃ from node C. Since node A knows x₁ and x₂ separately, it can easily compute the first common secret x₁ ⊕ x₂ ⊕ x₃ by XOR combination of x₁ with x₂ ⊕ x₃ or x₂ with x₁ ⊕ x₃ in step 88 of FIG. 8 . Similarly, node B receives the share x₁ ⊕ x₂ from node A and x₂ ⊕ x₃ from node C. Since node B knows x₁ and x₃ separately, it can easily compute the first common secret x₁ ⊕ x₂ ⊕ x₃ by XOR combination of x₁ with x₂ ⊕ x₃ or x₃ with x₂ ⊕ x₃. Also, node C receives the share x₁ ⊕ x₃ from node B and x₁ ⊕ x₂ from node A. Since node C knows x₂ and x₃ separately, it can easily compute the first common secret x₁ ⊕ x₂ ⊕ x₃ by XOR combination of x₂ with x₁ ⊕ x₃ or x₃ with x₁ ⊕ x₂.

Similarly to the manner described for the second common secrets above, the first common secret (CS) may be in the form of an elliptic curve point (x_(S), y_(S)). This may be converted into a standard key format using standard publicly known operations agreed by the nodes 3, 7. For example, the x_(S) value may be a 256-bit integer that could be used as a key for AES₂₅₆ encryption. It could also be converted into a 160-bit integer using RIPEMD-160 for any applications requiring this length key.

It is possible to distribute shares of the first common secret by other means than XOR encryption, although XOR encryption provides the advantage of obscuring the second common secrets when broadcast in scripts of blockchain transactions, so that it is not possible for third parties to determine the second common secrets without knowledge of a threshold number of other second common secrets. For example, simple arithmetic multiplication of the second common secrets of the form (x₁.x₂.x₃) mod n can be used, where n is the order of the elliptic curve cryptography system used.

In addition, the shares of the first common secret can be distributed as shares of a polynomial function using a Shamir secret sharing scheme or a dealerless secret sharing scheme as will be familiar to persons skilled in the art. In the case in which the shares of the first common secret are shares of a polynomial function, efficient recovery of the first common secret can be carried out by means of a Berlekamp-Welch decoder as shown in FIG. 9. Referring to FIG. 9, the Berlekamp-Welch decoder 70 carries out polynomial interpolation of shares of a polynomial function to obtain the polynomial function.

In conventional use of the Berlekamp-Welch algorithm for correcting errors in transmitted data, a message m is divided into a series of k bytes at an encoder 72, and each byte c₀, c₁, ... c_(k-1) is encoded as an integer modulo p. The message is then represented by a polynomial function:

$\text{m}\left( \text{x} \right) = {\sum_{i = 0}^{k - 1}{c_{i}x^{i}}}$

The value of polynomial function m(x) is then determined for a number of known values of x to generate a series of (x, y) pairs, which are then transmitted by a transmitter 74 to a receiver 76.

The data M received at the receiver 76 (i.e. the received message) comprises pairs (a₁, b₁), ..., (a_(n), b_(n)) corresponding to points on the polynomial function representing the original message

$\text{P}\left( \text{x} \right) = \text{m}\left( \text{x} \right) = {\sum_{i = 0}^{k - 1}{c_{i}x^{i}}}$

If it is assumed that some of the transmitted (x, y) pairs have been corrupted during transmission, then an error locator polynomial function can be defined as follows:

E(a_(i)) = 0, when P(a_(i)) ≠ b_(i); otherwise E(a_(i)) ≠ 0

If a product polynomial function Q(a_(i)) is defined as

Q(a_(i)) = b_(i)E_(i)(a_(i))

Then for each received (a_(i), b_(i)) pair, regardless of whether the value of b_(i) has been corrupted,

Q(a_(i)) = b_(i)E_(i)(a_(i)) = P(a_(i))E_(i)(a_(i)), since E(a_(i)) = 0 when P(a_(i)) ≠ b_(i)

For n known values of (a_(i), b_(i)), since E(a_(i)) is a polynomial function of degree e, and P(a_(i)) is a polynomial function of degree (k-1), Q(a_(i)) is a polynomial function of degree (e + k - 1). The known values of (a_(i), b_(i)) can therefore be expressed as the linear system:

$Q\left( a_{i} \right) = {\sum\limits_{j = 0}^{e + k - 1}{q_{j}a_{i}^{j}}} = b_{i}{\sum\limits_{j = 0}^{e}{e_{j}a_{i}^{j}}} = b_{i}E_{i}\left( a_{i} \right)$

The linear system contains 2e + k - 1 unknown terms (e from E(x) and e + k - 1 from Q(x)), as a result of which the coefficients of Q(a_(i)) and E(a_(i)) can be determined if n ≥ 2e + k - 1. If Q(a_(i)) and E(a_(i)) can be determined, it is possible to determine P(a_(i)) to recover the original message m(x).

It can therefore be seen that the Berlekamp-Welch decoder 70 receives as inputs pairs representing points on a polynomial function, and outputs the polynomial function. The decoder 70 can therefore be used as a replacement for Lagrange interpolation in the present disclosure to determine a polynomial function from a threshold number of shares represented by that polynomial function.
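The decoding step described above, as an added Python example that is not part of the disclosure: it recovers the polynomial behind Shamir-style shares when up to e of them have been altered, and reports which shares were altered. The prime modulus, share values and function names are constructed for illustration; the example takes E(x) as monic and counts the e + k coefficients of Q(x), so it asks for n ≥ k + 2e shares.

```python
import secrets

PRIME = 2**127 - 1  # constructed field modulus for this example


def eval_poly(coeffs, x, prime=PRIME):
    """Horner evaluation; coefficients are listed lowest degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % prime
    return acc


def make_shares(secret, k, n, prime=PRIME):
    """Shamir shares (x, P(x)) of a random degree k-1 polynomial with P(0) = secret."""
    coeffs = [secret % prime] + [secrets.randbelow(prime) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, prime)) for x in range(1, n + 1)]


def solve_mod(rows, prime):
    """Gauss-Jordan elimination over GF(prime) on augmented rows; free variables are set to 0."""
    rows = [r[:] for r in rows]
    ncols = len(rows[0]) - 1
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], prime - 2, prime)
        rows[r] = [v * inv % prime for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % prime for vi, vr in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in rows[r:]):
        raise ValueError("no solution: more than e shares are corrupted")
    solution = [0] * ncols
    for i, c in enumerate(pivots):
        solution[c] = rows[i][-1]
    return solution


def poly_divmod(num, den, prime):
    """Divide num by a monic den; returns (quotient, remainder), lowest degree first."""
    num = num[:]
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        quot[i] = num[i + len(den) - 1]
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - quot[i] * d) % prime
    return quot, num[:len(den) - 1]


def berlekamp_welch(shares, k, e, prime=PRIME):
    """Return (coefficients of P, x values of corrupted shares) given at most e bad shares."""
    if len(shares) < k + 2 * e:
        raise ValueError("need at least k + 2e shares")
    rows = []
    for a, b in shares:
        # Q(a) - b * (e_0 + ... + e_{e-1} a^{e-1}) = b * a^e, with E(x) monic of degree e
        q_terms = [pow(a, j, prime) for j in range(e + k)]
        e_terms = [(-b * pow(a, j, prime)) % prime for j in range(e)]
        rows.append(q_terms + e_terms + [b * pow(a, e, prime) % prime])
    solution = solve_mod(rows, prime)
    q_coeffs, e_coeffs = solution[:e + k], solution[e + k:] + [1]
    poly, remainder = poly_divmod(q_coeffs, e_coeffs, prime)
    if any(remainder):
        raise ValueError("Q is not divisible by E: too many corrupted shares")
    bad = [a for a, b in shares if eval_poly(poly, a, prime) != b % prime]
    return poly, bad


if __name__ == "__main__":
    shares = make_shares(secret=424242, k=3, n=7)          # constructed shares
    shares[4] = (shares[4][0], (shares[4][1] + 1) % PRIME)  # simulate one altered share
    poly, bad = berlekamp_welch(shares, k=3, e=2)
    print("secret:", poly[0], "altered shares at x =", bad)
```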

FIG. 10 shows a method embodying the present disclosure for sharing a first common secret among four nodes A, B, C and D. Each node A, B, C, D is associated with its own private key/public key pair (S, P), the private, public key pair of node A, for example, being (S_(A),P_(A)). Each private or public key may be derived from a respective master private key or master public key for that node and a deterministic key, in a manner similar to that described above with reference to FIGS. 1 to 6. The private-public key pairs are key pairs of an elliptic curve cryptography system where, for example, P_(A) = S_(A) x G, where G is the elliptic curve generator point.

Secure communication between each pair of nodes A,B, A,C, A,D, B,C, B,D and C,D is established by determining a second common secret between each pair of nodes using a method as described above with reference to FIGS. 1 to 6. In the arrangement shown in FIG. 10, the following relations apply:

S_(A)P_(B) = S_(A)S_(B)G = S_(B)S_(A)G = S_(B)P_(A) = x₁

S_(A)P_(C) = S_(C)P_(A) = x₂

S_(A)P_(D) = S_(D)P_(A) = x₃

S_(B)P_(C) = S_(C)P_(B) = x₄

S_(B)P_(D) = S_(D)P_(B) = x₅

And S_(C)P_(D) = S_(D)P_(C) = x₆

The first common secret to be shared among the nodes A, B, C and D is x₁ ⊕ x₂ ⊕ x₃ ⊕ x₄ ⊕ x₅ ⊕ x₆.

Once a secure communication channel has been established between each pair of nodes, each node encrypts shares of the first secret, in the form of combinations of the second secrets known to that node, using private-public key pairs based on those second secrets in a manner similar to the method described with reference to FIGS. 7 and 8 . This is done by each node encoding XOR combinations of pairs of the second common secrets x known to that node. Accordingly for node A, common secrets x₁, x₂ and x₃ are known to node A, so node A computes the combinations x₁ ⊕ x₂, x₁ ⊕ x₃ and x₂ ⊕ x₃, and then separately encodes this combination on the basis of the private key of the private-public key pair of its respective communication channel x₁, x₂ or x₃ with each other node. In the present embodiment, the separate combinations [x₁ ⊕ x₂; x₁ ⊕ x₃; x₂ ⊕ x₃] are abbreviated in FIG. 10 as [Ashares]. The encoded combinations are then represented as E_(x1)[x₁ ⊕ x₂; x₁ ⊕ x₃; x₂ ⊕ x₃], or E_(x1)[Ashares], E_(x2)[x₁ ⊕ x₂; x₁ ⊕ x₃; x₂ ⊕ x₃], or E_(x2)[Ashares] and E_(x3)[x₁ ⊕ x₂; x₁ ⊕ x₃; x₂ ⊕ x₃], or E_(x3)[Ashares]. Node A then sends E_(x1)[Ashares] to node B, with which x₁ is common, E_(x2)[Ashares] to node C, with which x₂ is common, and E_(x3)[Ashares] to node D, with which x₃ is common.

In a similar manner, node B computes the following combinations:

[x₁ ⊕ x₄; x₁ ⊕ x₅; x₄ ⊕ x₅] = [Bshares]

and encrypts and sends the following:

E_(x1)[x₁ ⊕ x₄; x₁ ⊕ x₅; x₄ ⊕ x₅] = E_(x1)[Bshares] to node A

E_(x4)[x₁ ⊕ x₄; x₁ ⊕ x₅; x₄ ⊕ x₅] = E_(x4)[Bshares] to node C

E_(x5)[x₁ ⊕ x₄; x₁ ⊕ x₅; x₄ ⊕ x₅] = E_(x5)[Bshares] to node D

Node C computes the following combinations:

[x₂ ⊕ x₄; x₂ ⊕ x₆; x₄ ⊕ x₆] = [Cshares]

and encrypts and sends the following:

E_(x2)[x₂ ⊕ x₄; x₂ ⊕ x₆; x₄ ⊕ x₆] = E_(x2)[Cshares] to node A

E_(x4)[x₂ ⊕ x₄; x₂ ⊕ x₆; x₄ ⊕ x₆] = E_(x4)[Cshares] to node B

E_(x6)[x₂ ⊕ x₄; x₂ ⊕ x₆; x₄ ⊕ x₆] = E_(x6)[Cshares] to node D

And node D computes the following combinations:

[x₃ ⊕ x₅; x₃ ⊕ x₆; x₅ ⊕ x₆] = [Dshares]

and encrypts and sends the following:

E_(x3)[x₃ ⊕ x₅; x₃ ⊕ x₆; x₅ ⊕ x₆] = E_(x3)[Dshares] to node A

E_(x5)[x₃ ⊕ x₅; x₃ ⊕ x₆; x₅ ⊕ x₆] = E_(x5)[Dshares] to node B

E_(x6)[x₃ ⊕ x₅; x₃ ⊕ x₆; x₅ ⊕ x₆] = E_(x6)[Dshares] to node C.

Each of the nodes A, B, C, D receives the encrypted shares from the other nodes and decrypts them using the private key corresponding to the appropriate second common secret x₁, x₂, x₃, x₄, x₅ or x₆, as a result of which each of the nodes can obtain the threshold number of shares necessary to reconstruct the first common secret x₁ ⊕ x₂ ⊕ x₃ ⊕ x₄ ⊕ x₅ ⊕ x₆ as follows.

Node A receives the shares x₁ ⊕ x₄, x₁ ⊕ x₅ and x₄ ⊕ x₅ from node B and knows x₁, x₂ and x₃ separately, and can therefore calculate x₄ and x₅ from x₁ ⊕ (x₁ ⊕ x₄) and x₁ ⊕ (x₁ ⊕ x₅) respectively. Node A also receives the shares x₂ ⊕ x₄, x₂ ⊕ x₆ and x₄ ⊕ x₆ from node C and knows x₁, x₂ and x₃ separately, and can therefore calculate x₆ from x₂ ⊕ (x₂ ⊕ x₆), and as a result knows x₁ to x₆ separately and can compute the first common secret.

By operating a similar process, each of the other nodes B, C and D can obtain all of the second common secrets to determine the first common secret which is now shared among all of the nodes.
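The FIG. 10 exchange can be traced end to end in code. The following Python sketch is an added illustration, not code from the patent: it assumes secp256k1 as the curve, takes each second common secret to be the x-coordinate of the shared point, and substitutes a hash-based keystream with an HMAC tag (keyed per direction) for the encryption E_x, whose details belong to FIGS. 7 and 8. All function and variable names are hypothetical.

```python
import hashlib
import hmac
from functools import reduce
from itertools import combinations, permutations

# Assumed curve: secp256k1. The text only requires P = S x G on an agreed curve.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
NODES = "ABCD"
CHANNELS = list(combinations(NODES, 2))  # AB, AC, AD, BC, BD, CD carry x1..x6

def ec_add(p1, p2):  # affine addition; not constant time, illustration only
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point, k = ec_add(point, point), k >> 1
    return acc

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def channels_of(node):
    return [c for c in CHANNELS if node in c]

def _keys(secret, sender, receiver, length):
    # Keys are bound to the direction so A->B and B->A never reuse a keystream.
    label = secret + f"{sender}>{receiver}".encode()
    stream = b"".join(hashlib.sha256(b"enc" + label + bytes([i])).digest()
                      for i in range(-(-length // 32)))
    return stream, hashlib.sha256(b"mac" + label).digest()

def seal(secret, sender, receiver, payload):
    # Stand-in for E_x[...]: hash-counter keystream, then HMAC over the ciphertext.
    stream, mac_key = _keys(secret, sender, receiver, len(payload))
    ct = xor(payload, stream)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unseal(secret, sender, receiver, blob):
    ct, tag = blob[:-32], blob[-32:]
    stream, mac_key = _keys(secret, sender, receiver, len(ct))
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("share message failed authentication")
    return xor(ct, stream)

def sealed_shares(known, sender, receiver):
    # What sender transmits: its three pairwise XORs, e.g. [Ashares], under the channel secret.
    x = known[sender]
    shares = b"".join(xor(x[c], x[d]) for c, d in combinations(channels_of(sender), 2))
    return seal(x[tuple(sorted((sender, receiver)))], sender, receiver, shares)

def recover(view, sender, receiver, blob):
    # Receiver side: decrypt, then peel each unknown x off a share using an x already held.
    plain = unseal(view[tuple(sorted((sender, receiver)))], sender, receiver, blob)
    for i, (c, d) in enumerate(combinations(channels_of(sender), 2)):
        have, want = (c, d) if c in view else (d, c)
        if have in view:
            view.setdefault(want, xor(view[have], plain[32 * i:32 * i + 32]))

def run_protocol(private_keys):
    public = {n: ec_mul(s, G) for n, s in private_keys.items()}
    known = {n: {} for n in NODES}
    for a, b in CHANNELS:  # second common secret = x-coordinate of S_me * P_peer (assumed encoding)
        for me, peer in ((a, b), (b, a)):
            known[me][(a, b)] = ec_mul(private_keys[me], public[peer])[0].to_bytes(32, "big")
    views = {n: dict(known[n]) for n in NODES}
    for receiver, sender in permutations(NODES, 2):
        recover(views[receiver], sender, receiver, sealed_shares(known, sender, receiver))
    return views

def first_common_secret(view):
    return reduce(xor, (view[c] for c in CHANNELS))

# Constructed demo private keys: hash of a label, reduced into [1, N-1].
DEMO_KEYS = {n: 1 + int.from_bytes(hashlib.sha256(n.encode()).digest(), "big") % (N - 1) for n in NODES}
```

After the exchange every node holds all six pairwise secrets, including those of channels it is not an endpoint of (node A recovers x₄, the secret between B and C), which is what the text means by A knowing x₁ to x₆ separately.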

Turning now to FIG. 11, there is provided an illustrative, simplified block diagram of a computing device 2600 that may be used to practice at least one embodiment of the present disclosure. In various embodiments, the computing device 2600 may be used to implement any of the systems illustrated and described above. For example, the computing device 2600 may be configured for use as a data server, a web server, a portable computing device, a personal computer, or any electronic computing device. As shown in FIG. 11, the computing device 2600 may include one or more processors with one or more levels of cache memory and a memory controller (collectively labelled 2602) that can be configured to communicate with a storage subsystem 2606 that includes main memory 2608 and persistent storage 2610. The main memory 2608 can include dynamic random-access memory (DRAM) 2618 and read-only memory (ROM) 2620 as shown. The storage subsystem 2606 and the cache memory 2602 may be used for storage of information, such as details associated with transactions and blocks as described in the present disclosure. The processor(s) 2602 may be utilized to provide the steps or functionality of any embodiment as described in the present disclosure.

The processor(s) 2602 can also communicate with one or more user interface input devices 2612, one or more user interface output devices 2614, and a network interface subsystem 2616.

A bus subsystem 2604 may provide a mechanism for enabling the various components and subsystems of computing device 2600 to communicate with each other as intended. Although the bus subsystem 2604 is shown schematically as a single bus, alternative embodiments of the bus subsystem may utilize multiple busses.

The network interface subsystem 2616 may provide an interface to other computing devices and networks. The network interface subsystem 2616 may serve as an interface for receiving data from, and transmitting data to, other systems from the computing device 2600. For example, the network interface subsystem 2616 may enable a data technician to connect the device to a network such that the data technician may be able to transmit data to the device and receive data from the device while in a remote location, such as a data centre.

The user interface input devices 2612 may include one or more user input devices such as a keyboard; pointing devices such as an integrated mouse, trackball, touchpad, or graphics tablet; a scanner; a barcode scanner; a touch screen incorporated into the display; audio input devices such as voice recognition systems, microphones; and other types of input devices. In general, use of the term “input device” is intended to include all possible types of devices and mechanisms for inputting information to the computing device 2600.

The one or more user interface output devices 2614 may include a display subsystem, a printer, or non-visual displays such as audio output devices, etc. The display subsystem may be a cathode ray tube (CRT), a flat-panel device such as a liquid crystal display (LCD), light emitting diode (LED) display, or a projection or other display device. In general, use of the term “output device” is intended to include all possible types of devices and mechanisms for outputting information from the computing device 2600. The one or more user interface output devices 2614 may be used, for example, to present user interfaces to facilitate user interaction with applications performing processes described and variations therein, when such interaction may be appropriate.

The storage subsystem 2606 may provide a computer-readable storage medium for storing the basic programming and data constructs that may provide the functionality of at least one embodiment of the present disclosure. The applications (programs, code modules, instructions), when executed by one or more processors, may provide the functionality of one or more embodiments of the present disclosure, and may be stored in the storage subsystem 2606. These application modules or instructions may be executed by the one or more processors 2602. The storage subsystem 2606 may additionally provide a repository for storing data used in accordance with the present disclosure. For example, the main memory 2608 and cache memory 2602 can provide volatile storage for program and data. The persistent storage 2610 can provide persistent (non-volatile) storage for program and data and may include flash memory, one or more solid state drives, one or more magnetic hard disk drives, one or more floppy disk drives with associated removable media, one or more optical drives (e.g. CD-ROM, DVD or Blu-Ray) with associated removable media, and other like storage media. Such program and data can include programs for carrying out the steps of one or more embodiments as described in the present disclosure as well as data associated with transactions and blocks as described in the present disclosure.

The computing device 2600 may be of various types, including a portable computer device, tablet computer, a workstation, or any other device described below. Additionally, the computing device 2600 may include another device that may be connected to the computing device 2600 through one or more ports (e.g., USB, a headphone jack, Lightning connector, etc.). The device that may be connected to the computing device 2600 may include a plurality of ports configured to accept fibre-optic connectors. Accordingly, this device may be configured to convert optical signals to electrical signals that may be transmitted through the port connecting the device to the computing device 2600 for processing. Due to the ever-changing nature of computers and networks, the description of the computing device 2600 depicted in FIG. 11 is intended only as a specific example for purposes of illustrating the preferred embodiment of the device. Many other configurations having more or fewer components than the system depicted in FIG. 11 are possible.

It should be noted that the above-mentioned embodiments illustrate rather than limit the disclosure, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the disclosure as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The words “comprising” and “comprises”, and the like, do not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole.

In the present specification, “comprises” means “includes or consists of” and “comprising” means “including or consisting of”. The singular reference of an element does not exclude the plural reference of such elements and vice-versa. The disclosure may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage. 

What is claimed is:
 1. A method of sharing a first common secret among a plurality of nodes, wherein each said node is associated with a respective asymmetric cryptography first key pair having a respective first private key and a respective first public key of a cryptography system common to said plurality of nodes, and wherein the first common secret is based on the first private key of each of said nodes, the method comprising: determining, for at least one first node, a plurality of second common secrets, wherein each said second common secret is common to said first node and a respective second node, is determined at said first node on the basis of the first private key of the first node and the first public key of the second node, and is determined at the second node on the basis of the first private key of the second node and the first public key of the first node, wherein a plurality of shares of the first common secret are each based on at least one respective second common secret such that said first common secret is accessible to a threshold number of said shares but is inaccessible to less than said threshold number of said shares; determining, for at least one second node, at least one respective third common secret, wherein each respective third common secret is common to said second node and a respective third node, is determined at said second node on the basis of the first private key of the second node and the first public key of the third node, and is determined at the third node on the basis of the first private key of the third node and the first public key of the second node, and wherein at least one share of the first common secret is based on at least one respective said third common secret; encrypting, at at least one said first node, at least one share of said first common secret known to said first node, on the basis of a respective encryption key common to said first node and a respective said second node, wherein said encryption key is based on a respective said second common secret known to said first node and said second node; sending at least one said encrypted share from said first node to the respective said second node with which the second common secret on which said second key pair is based is common; and receiving, at at least one said first node, from at least one said second node, at least one respective share of said first common secret known to said second node and encrypted on the basis of a respective encryption key common to said first node and said second node, wherein said encryption key is based on the second common secret common to said first node and said second node, to enable said first node to access at least one share of said first common secret known to said second node.
 2. The method according to claim 1, wherein said encrypting comprises encrypting a plurality of shares based on a combination of a plurality of said second or third common secrets known to the corresponding said node.
 3. The method according to claim 2, wherein said encrypting comprises encrypting a plurality of shares based on at least one respective XOR combination of a plurality of said second or third common secrets known to the corresponding said node.
 4. The method according to claim 2, wherein said encrypting comprises encrypting a plurality of shares based on multiplicative combination of a plurality of said second or third common secrets known to the corresponding said node.
 5. The method according to claim 4, wherein the multiplicative combination is of the form (x₁ x₂ x₃) mod n, wherein x₁, x₂, x₃ are second or third common secrets known to a node, and n is an order of a cryptography system.
 6. The method according to claim 1, wherein a plurality of said shares are shares of a first polynomial function, and the first secret is determined by means of polynomial interpolation of at least a threshold number of said shares.
 7. The method according to claim 6, further comprising: receiving at least a threshold number of shares of said first common secret, wherein each said share corresponds to a respective value of the first polynomial function; and determining said first polynomial function, by means of determining coefficients of the first polynomial function from a plurality of known values of said shares, to determine said first common secret.
 8. The method according to claim 7, wherein the step of determining said first polynomial function comprises executing an error correction algorithm.
 9. The method according to claim 8, wherein the step of determining said first polynomial function comprises executing a Berlekamp-Welch decoding algorithm.
 10. The method according to claim 7, wherein the step of determining said first polynomial function comprises: defining an error locator polynomial function and a second polynomial function, wherein the second polynomial function is a product of said first polynomial function and said error locator polynomial function, determining coefficients of said second polynomial function and said error locator polynomial function from a plurality of known values of said first polynomial function, and determining said first polynomial function from said second polynomial function and an error detector polynomial function, to determine the first common secret.
 11. The method according to claim 1, wherein at least one said cryptography system has a homomorphic property.
 12. The method according to claim 11, wherein at least one said cryptography system is an elliptic curve cryptography system.
 13-26. (canceled)
 27. A method of secure communication between a plurality of nodes, wherein the method comprises: sharing a first common secret among a plurality of nodes by: determining, for at least one first node, a plurality of second common secrets, wherein each said second common secret is common to said first node and a respective second node, is determined at said first node on the basis of the first private key of the first node and the first public key of the second node, and is determined at the second node on the basis of the first private key of the second node and the first public key of the first node, wherein a plurality of shares of the first common secret are each based on at least one respective second common secret such that said first common secret is accessible to a threshold number of said shares but is inaccessible to less than said threshold number of said shares; determining, for at least one second node, at least one respective third common secret, wherein each respective third common secret is common to said second node and a respective third node, is determined at said second node on the basis of the first private key of the second node and the first public key of the third node, and is determined at the third node on the basis of the first private key of the third node and the first public key of the second node, and wherein at least one share of the first common secret is based on at least one respective said third common secret; encrypting, at at least one said first node, at least one share of said first common secret known to said first node, on the basis of a respective encryption key common to said first node and a respective said second node, wherein said encryption key is based on a respective said second common secret known to said first node and said second node; sending at least one said encrypted share from said first node to the respective said second node with which the second common secret on which said second key pair is based is common; and receiving, at at least one said first node, from at least one said second node, at least one respective share of said first common secret known to said second node and encrypted on the basis of a respective encryption key common to said first node and said second node, wherein said encryption key is based on the second common secret common to said first node and said second node, to enable said first node to access at least one share of said first common secret known to said second node; determining a symmetric-key based on the first common secret; encrypting a first communication message, with the symmetric-key, to an encrypted first communication message; and sending, over a communications network, the encrypted first communication message from one of said plurality of nodes to the other nodes of said plurality of nodes.
 28. The method according to claim 27, further comprising: receiving, over a communications network, an encrypted second communication message from a node of said plurality of nodes; and decrypting the encrypted second communication message, with the symmetric-key, to a second communication message.
 29. A method of performing an online transaction between a plurality of nodes, wherein the method comprises: sharing a first common secret among a plurality of nodes by determining, for at least one first node, a plurality of second common secrets, wherein each said second common secret is common to said first node and a respective second node, is determined at said first node on the basis of the first private key of the first node and the first public key of the second node, and is determined at the second node on the basis of the first private key of the second node and the first public key of the first node, wherein a plurality of shares of the first common secret are each based on at least one respective second common secret such that said first common secret is accessible to a threshold number of said shares but is inaccessible to less than said threshold number of said shares; determining, for at least one second node, at least one respective third common secret, wherein each respective third common secret is common to said second node and a respective third node, is determined at said second node on the basis of the first private key of the second node and the first public key of the third node, and is determined at the third node on the basis of the first private key of the third node and the first public key of the second node, and wherein at least one share of the first common secret is based on at least one respective said third common secret; encrypting, at at least one said first node, at least one share of said first common secret known to said first node, on the basis of a respective encryption key common to said first node and a respective said second node, wherein said encryption key is based on a respective said second common secret known to said first node and said second node; sending at least one said encrypted share from said first node to the respective said second node with which the second common secret on which said second key pair is based is common; and receiving, at at least one said first node, from at least one said second node, at least one respective share of said first common secret known to said second node and encrypted on the basis of a respective encryption key common to said first node and said second node, wherein said encryption key is based on the second common secret common to said first node and said second node, to enable said first node to access at least one share of said first common secret known to said second node; determining a symmetric-key based on the first common secret; encrypting a first transaction message, with the symmetric-key, to an encrypted first transaction message; sending, over a communications network, the encrypted first transaction message from a first node of said plurality of nodes to the other nodes of said plurality of nodes.
 30. A system, comprising: a processor; and memory including executable instructions that, as a result of execution by the processor, cause the system to perform a method of sharing a first common secret among a plurality of nodes, wherein each said node is associated with a respective asymmetric cryptography first key pair having a respective first private key and a respective first public key of a cryptography system common to said plurality of nodes, and wherein the first common secret is based on the first private key of each of said nodes, the method comprising: determining, for at least one first node, a plurality of second common secrets, wherein each said second common secret is common to said first node and a respective second node, is determined at said first node on the basis of the first private key of the first node and the first public key of the second node, and is determined at the second node on the basis of the first private key of the second node and the first public key of the first node, wherein a plurality of shares of the first common secret are each based on at least one respective second common secret such that said first common secret is accessible to a threshold number of said shares but is inaccessible to less than said threshold number of said shares; determining, for at least one second node, at least one respective third common secret, wherein each respective third common secret is common to said second node and a respective third node, is determined at said second node on the basis of the first private key of the second node and the first public key of the third node, and is determined at the third node on the basis of the first private key of the third node and the first public key of the second node, and wherein at least one share of the first common secret is based on at least one respective said third common secret; encrypting, at at least one said first node, at least one share of said first common secret known to said first node, on the basis of a respective encryption key common to said first node and a respective said second node, wherein said encryption key is based on a respective said second common secret known to said first node and said second node; sending at least one said encrypted share from said first node to the respective said second node with which the second common secret on which said second key pair is based is common; and receiving, at at least one said first node, from at least one said second node, at least one respective share of said first common secret known to said second node and encrypted on the basis of a respective encryption key common to said first node and said second node, wherein said encryption key is based on the second common secret common to said first node and said second node, to enable said first node to access at least one share of said first common secret known to said second node.
 31. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to perform a method of sharing a first common secret among a plurality of nodes, wherein each said node is associated with a respective asymmetric cryptography first key pair having a respective first private key and a respective first public key of a cryptography system common to said plurality of nodes, and wherein the first common secret is based on the first private key of each of said nodes, the method comprising: determining, for at least one first node, a plurality of second common secrets, wherein each said second common secret is common to said first node and a respective second node, is determined at said first node on the basis of the first private key of the first node and the first public key of the second node, and is determined at the second node on the basis of the first private key of the second node and the first public key of the first node, wherein a plurality of shares of the first common secret are each based on at least one respective second common secret such that said first common secret is accessible to a threshold number of said shares but is inaccessible to less than said threshold number of said shares; determining, for at least one second node, at least one respective third common secret, wherein each respective third common secret is common to said second node and a respective third node, is determined at said second node on the basis of the first private key of the second node and the first public key of the third node, and is determined at the third node on the basis of the first private key of the third node and the first public key of the second node, and wherein at least one share of the first common secret is based on at least one respective said third common secret; encrypting, at at least one said first node, at least one share of said first common secret known to said first node, on the basis of a respective encryption key common to said first node and a respective said second node, wherein said encryption key is based on a respective said second common secret known to said first node and said second node; sending at least one said encrypted share from said first node to the respective said second node with which the second common secret on which said second key pair is based is common; and receiving, at at least one said first node, from at least one said second node, at least one respective share of said first common secret known to said second node and encrypted on the basis of a respective encryption key common to said first node and said second node, wherein said encryption key is based on the second common secret common to said first node and said second node, to enable said first node to access at least one share of said first common secret known to said second node.